In the first article in this series on using EAP-TLS certificate authentication for VPN client connections, we began our discussion by configuring the RADIUS server and finished up by setting up Remote Access Policies and changing the domain functional level. In this article, we’ll look at how to configure the ISA Firewall’s VPN server to support our EAP/TLS VPN client connections, and then request a certificate for the ISA Firewall.

Enable the VPN Server on the ISA Server 2004 firewall and configure RADIUS Support

With the RADIUS configuration and Remote Access Policies in place, we can now start configuring the ISA Server 2004 VPN server. We will first enable the VPN server and then configure the VPN server to support RADIUS authentication.

Perform the following steps to enable the VPN server and configure it for RADIUS support:

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click on the Virtual Private Networks (VPN) node.

In the VPN Clients Properties dialog box, click the Groups tab. On the Groups tab, click the Add button.

In the Select Groups dialog box, click the Locations button. In the Locations dialog box, click the msfirewall.org entry and click OK.

In the Select Groups dialog box, enter Domain Users in the Enter the object names to select dialog box. Click the Check Names button. The group will become underlined when it is found in the Active Directory. Click OK.

Figure 2

The domain group appears on the Group tab.

Figure 3

Click the Protocols tab. Put a checkmark in the Enable L2TP/IPSec checkbox.

Figure 4

Click the User Mapping tab. Put a checkmark in the Enable User Mapping checkbox. Put a checkmark in the When username does not contain a domain, use this domain checkbox. In the Domain Name text box, enter the Internal network domain, msfirewall.org. Click Apply and then click OK.

Figure 5

Click the Specify RADIUS Configuration link on the Tasks tab.

Figure 6

On the RADIUS tab, put a checkmark in the Use RADIUS for authentication checkbox.

In the Add RADIUS Server dialog box, enter the name of the IAS server machine in the Server name text box. In this example, the name of the IAS server is EXCHANGE2003BE.msfirewall.org. Enter a description of the server in the Server description text box. In this example, enter the description IAS Server. Click the Change button.

Figure 9

In the shared secret dialog box, enter a New Secret and then Confirm new secret. Make sure this is the same secret that you entered in the IAS server configuration at the IAS server machine. Click OK.
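The shared secret entered above is what authenticates the RADIUS traffic between the ISA firewall and the IAS server. As an added example (not code from the article or from either product), the following Python builds an Access-Request carrying an EAP-Message, stamps it with the Message-Authenticator that the RADIUS server checks, and shows that a secret which differs on one side fails verification; the secret, Request Authenticator and user values are constructed sample data.

```python
"""RADIUS shared-secret checks (RFC 2865 section 3, RFC 2869 section 5.14).
Added example, not from the article; all packet values are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(kind, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(secret, identifier, req_auth, attrs):
    """NAS side: an Access-Request carrying EAP gets an HMAC-MD5 Message-Authenticator
    computed over the whole packet with that attribute's 16 value bytes zeroed."""
    attrs = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    pkt = header + req_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute

def verify_message_authenticator(secret, pkt):
    """Server side: recompute the HMAC with the field zeroed and compare."""
    pos = 20
    while pos + 2 <= len(pkt):
        kind, length = pkt[pos], pkt[pos + 1]
        if length < 2:
            return False  # malformed attribute; stop rather than loop forever
        if kind == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += length
    return False  # EAP over RADIUS requires the attribute (RFC 3579)

def response_authenticator(secret, code, identifier, req_auth, attrs):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the value the
    NAS checks before trusting an Access-Challenge, Accept or Reject."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

if __name__ == "__main__":
    secret, wrong = b"ISA-IAS-shared-secret", b"typo-on-one-side"
    req_auth = bytes(range(16))  # constructed; a real NAS uses 16 random bytes
    attrs = attr(USER_NAME, b"user1@msfirewall.org") + attr(EAP_MESSAGE, b"\x02\x01\x00\x0a\x01user1")
    req = build_access_request(secret, 7, req_auth, attrs)
    print("same secret:", verify_message_authenticator(secret, req))  # True
    print("mismatch:", verify_message_authenticator(wrong, req))  # False
```

A RADIUS server that sees a bad Message-Authenticator silently drops the request, which is why a secret typo shows up as VPN logons timing out rather than as an explicit rejection.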

Click the Authentication tab in the Virtual Private Networks (VPN) Properties dialog box. Remove the checkmark from the Microsoft encrypted authentication version 2 (MS-CHAPv2) checkbox. Place a checkmark in the Extensible authentication protocol (EAP) with smart card or other certificate checkbox.

The ISA Server 2004 firewall will be able to accept incoming VPN connections after the restart. However, the VPN clients cannot access any resources on the Internal network because there are no Access Rules enabling this access. You must create an Access Rule that allows members of the VPN clients network access to the Internal network. In contrast to other combined firewall VPN server solutions, the ISA Server 2004 firewall VPN server applies access controls for network access to VPN clients.

In this example you will create an Access Rule allowing all traffic to pass from the VPN clients network to the Internal network. In a production environment you would create more restrictive access rules so that users on the VPN clients network have access only to resources they require.

Perform the following steps to create an unrestricted access VPN clients Access Rule:

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node. Right click the Firewall Policy node, point to New and click Access Rule.

In the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we will name the rule VPN Client to Internal. Click Next.

On the Rule Action page, select the Allow option and click Next.

On the Protocols page, select the All outbound protocols option in the This rule applies to list. Click Next.

On the User Sets page, accept the default setting, All Users, and click Next.

Figure 15

Click Finish on the Completing the New Access Rule Wizard page.

Click Apply to save the changes and update the firewall policy.

Click OK in the Apply New Configuration dialog box. The VPN client policy is now the top listed Access Rule in the Access Policy list.

Figure 16

Issue Certificates to the ISA Server 2004 Firewall and VPN Clients

You can significantly improve the level of security provided to your VPN connection by using the L2TP/IPSec VPN protocol. The IPSec encryption protocol provides a number of security advantages over the Microsoft Point-to-Point Encryption (MPPE) protocol used to secure PPTP connections. While the ISA Server 2004 firewall VPN supports using a pre-shared key to support the IPSec encryption process, this should be considered a low security option and should be avoided if possible. The secure IPSec solution is to use computer certificates on the VPN server and VPN clients.

By default, the ISA Server 2004 firewall is locked down with strong access controls. You will need to enable a System Policy Rule that allows the back-end firewall to communicate with the enterprise CA on the internal network.

Perform the following steps to enable the System Policy Rule on the back-end ISA Server 2004 firewall:

In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Firewall Policy node.

Right click the Firewall Policy node, point to View and click Show System Policy Rules.

In the System Policy Rule list, double click on the Allow HTTP from ISA Server to all networks for CRL downloads System Policy Rule.

Figure 17

In the System Policy Editor dialog box, put a checkmark in the Enable checkbox on the General tab. Click OK.

Figure 18

Click Apply to save the changes and update the firewall policy.

Click OK in the Apply New Configuration dialog box.

Issue a Certificate to the ISA Server 2004 Firewall/VPN Server

The next step is to issue a computer certificate to the ISA Server 2004 firewall VPN server. Perform the following steps on the ISA Server 2004 firewall to request a certificate from the enterprise CA on the Internal network:

Open Internet Explorer. In the Address bar, enter http://10.0.0.2/certsrv and click OK.

In the Enter Network Password dialog box, enter Administrator in the User Name text box and enter the Administrator’s password in the Password text box. Click OK.

Click the Request a Certificate link on the Welcome page.

On the Request a Certificate page, click the advanced certificate request link.

On the Advanced Certificate Request page, click the Create and submit a request to this CA link.

On the Advanced Certificate Request page, select the Administrator certificate from the Certificate Template list. Place a checkmark in the Store certificate in the local computer certificate store checkbox. Click Submit.

Click Yes in the Potential Scripting Violation dialog box.

On the Certificate Issued page, click the Install this certificate link.

Click Yes on the Potential Scripting Violation page.

Close the browser after viewing the Certificate Installed page.

Click Start and then click the Run command. Enter mmc in the Open text box and click OK.

In the Console1 console, click the File menu and then click the Add/Remove Snap-in command.

Click Add in the Add/Remove Snap-in dialog box.

Select the Certificates entry in the Available Standalone Snap-ins list in the Add Standalone Snap-in dialog box. Click Add.

Select the Computer account option on the Certificates snap-in page.

Select the Local computer option on the Select Computer page.

Click Close in the Add Standalone Snap-in dialog box.

Click OK in the Add/Remove Snap-in dialog box.

In the left pane of the console, expand the Certificates (Local Computer) node and then expand the Personal node. Click on the \Personal\Certificates node. Double click on the Administrator certificate in the right pane of the console.

In the Certificate dialog box, click the Certification Path tab. At the top of the certificate hierarchy seen in the Certification path frame is the root CA certificate. Click the EXCHANGE2003BE certificate at the top of the list. Click the View Certificate button.

On the File to Export page, enter c:\cacert in the File name text box. Click Next.

Click Finish on the Completing the Certificate Export Wizard page.

Click OK in the Certificate Export Wizard dialog box.

Click OK in the Certificate dialog box. Click OK again in the Certificate dialog box.

In the left pane of the console, expand the Trusted Root Certification Authorities node and click the Certificates node. Right click the \Trusted Root Certification Authorities\Certificates node, point to All Tasks and click Import.

Click Next on the Welcome to the Certificate Import Wizard page.

On the File to Import page, use the Browse button to locate the CA certificate you saved to the local hard disk and click Next.

On the Certificate Store page, accept the default settings and click Next.

Click Finish on the Completing the Certificate Import Wizard page.

Click OK on the Certificate Import Wizard dialog box informing you that the import was successful.

Note: You will not need to manually copy the enterprise CA certificate into the ISA Server 2004 firewall’s Trusted Root Certification Authorities certificate store, because the CA certificate is automatically installed on domain members. If the firewall were not a member of the domain, you would need to manually place the CA certificate into the Trusted Root Certification Authorities certificate store.

Summary

In this article we continued our series on how to use EAP-TLS authentication for remote access VPN client connections. We started with configuring the ISA Firewall to use the RADIUS server. Then we configured the ISA Firewall’s remote access VPN client server component and created access rules to support the VPN clients. Then we finished up by requesting a certificate for the ISA Firewall and installing the certificate into the ISA Firewall’s machine certificate store. Next week we’ll finish up by installing the certificates on the VPN clients and testing the L2TP/IPSec and PPTP connections.

Tom Shinder

Tom Shinder is a Program Manager at Microsoft and has two decades of networking and security experience. He has written dozens of books, thousands of articles, and spoken at large industry conferences on the topics of IT infrastructure, Cloud computing, and cybersecurity. In his free time, Tom enjoys participating in equine prediction markets.
